A joint operation between French and Bulgarian law enforcement backed by Europol’s European Cybercrime Centre (EC3) has brought down a carding gang operating out of Bulgaria and targeting victims in France and other European countries.

11 people were arrested and 29 properties searched on 20 May 2014.

That was the “action day” for a plan referred to as Operation Echo, the result of over a year investigating and tracking the gang.

Raids were closely synchronised from a central command post in Silistra, Bulgaria, one of three main cities hosting the gang’s operations. The EC3 provided a mobile office to help coordinate the searches and arrests.

The raids discovered three separate bases for building card skimming equipment in the coastal city of Varna, described by Europol as “complex production sites.” Searches of these factories uncovered card reading kit, blank cards and miniature cameras for recording victims’ PIN numbers as they entered them.

Elsewhere police also found ample equipment for producing counterfeit cards, including card strip reading and writing equipment and associated computers and data storage. They also uncovered stashes of faked cards with their associated PIN codes.

Europol believes the gang’s skimming activities centred around French provincial cities such as Nancy, Metz and Lyon, with other countries in the EU also hit.

Skimmed cards were cashed out at ATMs outside the EU, with the South East Asian nations of The Philippines, Malaysia and Indonesia cited as examples.

The costs of skimming

The arrests should serve as a reminder of the costs of card skimming.

In a world where huge hauls of card and bank account data can be harvested in moments due to huge network compromises, there’s still enough value in one-by-one card cloning to make it a worthwhile activity for crooks.

The best way to reduce your exposure to skimming is to stick to simple watchwords of vigilance and caution.

Check out your ATM before using it – look for small holes and loose or ill-fitting components. Be wary of people lurking nearby trying to see your PIN, and cover your hand as you enter it to minimise the chances of a hidden camera reading it.

Of course, with the advent of 3D printing, it’s much easier to produce realistic card slot covers and panels to hide skimming and micro-camera equipment, and there’s even a chance that guy lurking behind you could use thermal imaging to figure out your PIN even if he couldn’t see you entering it.

Even a simple card catching device can be a danger anywhere you insert your card into a cash machine.

Card catchers snag your card so the ATM shuts down, leaving you to assume that your card was retained by the bank; in fact the crooks can work it free later and recover it.

What next?

With recent revelations about cryptographic flaws in the Chip and PIN system, it’s clear that the technology is far from a panacea, but the global adoption of Chip and PIN will put significant extra hurdles in the way of the card cloning crooks.

In the long run, we may well need a more sophisticated way of identifying ourselves to our bank machines and sales terminals.

Whether that turns out to be something that more accurately recognizes us by our physical features, such as vein patterns, or a solution using our ubiquitous mobile devices, it’s unlikely to be completely fraud-proof.

Post navigation

About the author

John Hawes is Chief of Operations at <a href="http://www.virusbtn.com">Virus Bulletin</a>, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (<a href="http://www.amtso.org">AMTSO</a>) in 2011.